dolibarr-dev

Re: [Dolibarr-dev] Pb with file upload


From: Régis Houssin
Subject: Re: [Dolibarr-dev] Pb with file upload
Date: Sat, 02 Jun 2012 16:12:04 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

yes but my PHP is 5.3.6 with no magic_quotes! strange!


On 02/06/12 13:46, Laurent Destailleur (eldy) wrote:
> Yes. The initial sentence should be read like this:
> 
> "Note also that, IF YOU USE THE RECOMMENDED PHP SETUP, stripslashes should
> never..."
> instead of
> "Note also that stripslashes should never..."
> 
> If using an old PHP setup (magic_quotes_gpc), PHP makes some undesired
> escaping that is not HTML, shell, PHP, nor database escaping.
> stripslashes was provided to solve this problem. So it can be used in
> main (to solve the PHP bug) but not in core business code. It could be
> removed completely when everybody uses a recent PHP version that
> does not contain this feature (considered a bug by the PHP team now,
> that's why this feature is now completely removed in the latest PHP 5.4.0 version).
> 
> 
> On 01/06/2012 21:04, Régis Houssin wrote:
>> yes
>>
>> but your comment:
>>
>> "Note also that stripslashes should never be used anywhere in the code,
>> because stripslashes is neither an HTML escape, nor a JavaScript escape, nor a
>> shell or PHP escape function. If stripslashes is used somewhere, this
>> means there is a bug somewhere else."
>>
>> well you use it precisely in main.inc.php :-)
>>
>> return (is_array($value) ? array_map('stripslashes_deep', $value) :
>> stripslashes($value));
>>
>>
>>
>>
>> On 01/06/12 20:54, Laurent Destailleur (eldy) wrote:
>>> I think I found the bug.
>>> I tried a fix in the dev branch. Regis, does it work for you?
>>>
>>>
>>> On 01/06/2012 20:43, Régis Houssin wrote:
>>>> yes but I added this in the function dol_unescape_file
>>>>
>>>> return trim(basename(stripslashes($filename)), ".\x00..\x20");
>>>>
>>>> did you try just making a "return $filename"?
>>>>
>>>> which version of PHP are you using?
>>>>
>>>>
>>>>
>>>>
>>>> On 01/06/12 20:23, Laurent Destailleur (eldy) wrote:
>>>>> Hum, strange.
>>>>> If I use  Capture d'ecran.docx
>>>>> I get into $_FILES
>>>>> Capture d'ecran.docx
>>>>>
>>>>> and not
>>>>> Capture d'ecran.docx
>>>>>
>>>>> A cake will be offered to people who can explain this difference!
>>>>> Well, we must find what the criterion is that makes this difference
>>>>> and use
>>>>> it to put an if inside dol_unescape_file to have upload working in
>>>>> all situations.
>>>>>
>>>>> Can you send me your php.ini? I will compare it with mine.
>>>>>
>>>>>
>>>>>
>>>>> On 01/06/2012 11:13, Régis Houssin wrote:
>>>>>> I use this file name: Capture d'ecran.docx
>>>>>> my function:
>>>>>>
>>>>>> trim(basename(stripslashes($filename)), ".\x00..\x20");
>>>>>>
>>>>>> a common function found around the internet that can clean the file
>>>>>> name in
>>>>>> $_FILES
>>>>>>
>>>>>>
>>>>>> print $_FILES : Capture d\'ecran.docx
>>>>>>
>>>>>>
>>>>>> with my function:
>>>>>> the file is recorded with name: Capture d'ecran.docx
>>>>>> source code in link: Capture+d%27ecran.docx
>>>>>>
>>>>>> without my function:
>>>>>> the file is recorded with name: Capture d\'ecran.docx
>>>>>> source code in link: Capture+d%5C%27ecran.docx
>>>>>> the file is not deleted when I click on the trash
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 01/06/12 10:42, Laurent Destailleur (eldy) wrote:
>>>>>>> I made a fix in the dol_unescapefile function because file upload was
>>>>>>> broken
>>>>>>> on Linux and Windows.
>>>>>>> I had to remove the stripslashes. I don't see a reason to have
>>>>>>> it. Maybe
>>>>>>> there is a difference between Mac and Linux when uploading a file?
>>>>>>>
>>>>>>> If you upload a file called
>>>>>>> a'b
>>>>>>> the $_FILES['userfile']['name']; exit;
>>>>>>> a'b
>>>>>>>
>>>>>>> Regis, can you confirm that submitting a file called
>>>>>>> a'b
>>>>>>> is still
>>>>>>> a'b
>>>>>>> if you make:
>>>>>>>
>>>>>>> print $_FILES['userfile']['name']; exit;
>>>>>>>
>>>>>>> just after the main.inc.php of a submitted document.php page (you
>>>>>>> must
>>>>>>> view the source of the HTML page to see the real content, for example with
>>>>>>> htdocs/societe/documents.php)?
>>>>>>>
>>>>>>>
>>>>>> Regards,
>>>> Regards,
>> Regards,
> 

Regards,
-- 
Régis Houssin
---------------------------------------------------------
Cap-Networks
Cidex 1130
34, route de Gigny
71240 MARNAY
FRANCE
VoIP: +33 1 83 62 40 03
GSM: +33 6 33 02 07 97
Web: http://www.cap-networks.com/
Email: address@hidden

Dolibarr developer: address@hidden
Web Portal: http://www.dolibarr.fr/
SaaS offers: http://www.dolibox.fr/
Shop: http://www.dolistore.com/
Development platform: https://doliforge.org/
---------------------------------------------------------
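An added example of the split the thread arrives at (undo magic_quotes_gpc escaping once at request entry, keep the file-name cleaner itself free of stripslashes); this is not Dolibarr's code, and the function names and the constructed $_FILES sample values are assumptions:

```php
<?php
// Added example, not Dolibarr's own code. The thread's conclusion: undoing
// magic_quotes_gpc escaping belongs at one entry point (main), and the
// file-name cleaning function must not call stripslashes itself.

// True only when PHP really applied magic_quotes_gpc (PHP < 5.4 with the
// directive on). On 5.4+ it always returns false; on 8.0+ the function is gone.
function magic_quotes_were_applied(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursive stripslashes for GPC input, applied once at request entry.
// $magicQuoted is passed explicitly so the logic can be exercised on any PHP.
function undo_magic_quotes($value, bool $magicQuoted)
{
    if (!$magicQuoted) {
        return $value; // recommended setup: input is untouched, strip nothing
    }
    return is_array($value)
        ? array_map(function ($v) { return undo_magic_quotes($v, true); }, $value)
        : stripslashes($value);
}

// Business-level cleaning: no stripslashes here. Drops any client-sent
// directory part, then leading/trailing dots, NUL and control/space bytes,
// so names like "..", "foo." or "a\x00.php" cannot survive.
function clean_upload_filename(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));
    return trim($name, ".\x00..\x20");
}

// Constructed sample (hypothetical values): $_FILES['userfile']['name'] for
// "Capture d'ecran.docx" with and without magic_quotes_gpc.
$samples = [
    'magic_quotes on'  => "Capture d\\'ecran.docx", // PHP added the backslash
    'magic_quotes off' => "Capture d'ecran.docx",
];
foreach ($samples as $label => $raw) {
    $stored = clean_upload_filename(undo_magic_quotes($raw, $label === 'magic_quotes on'));
    // Both paths yield the same stored name; the link must encode exactly that
    // name so delete and download resolve to the file actually on disk.
    printf("%-16s raw=%-24s stored=%s link=%s\n",
        $label, $raw, $stored, rawurlencode($stored));
}
```

With the cleaner freed of stripslashes, a file legitimately named with a backslash is no longer silently altered on modern PHP, and the escaped variant only ever appears on setups where magic_quotes_gpc actually ran.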


